Code signing Certificates created on demand for Cybercriminals

on Saturday, February 24, 2018|

Many organizations have as of late begun adopting certain
strategies of using code-signing certificates to authenticate their software
and protect it against tampering. Indeed, even Malware authors have for quite
some time been utilizing such certificates for their malicious payloads so as
to sneak past enterprise anti-malware tools.

A New research done by the Recorded Future shows that a
growing number of code-signing certificates in the cyber underground are
actually being created on demand for specific buyers by Dark Web vendors
utilizing stolen corporate identities. Each certificate is unique to the buyer
and is usually delivered within two- to four days.

The certificates are notwithstanding being issued by
reputable companies for example Symantec, Comodo, and Thawte, and are
accessible at costs ranging from $299 to $1,599.

This usage of code-signing certificates to distribute
malware is not new but recently more malware authors have started depending on
the strategy as a way to distribute malware.

"We do not have information on what percentage of all certificates
circulating in the Dark Web were obtained using compromised corporate
credentials," says Andrei Barysevich, director of advance collection at
Recorded Future. "However, considering the malicious intent of hackers
when utilizing such certificates, it is safe to assume that a high proportion
of them were obtained fraudulently."

The certificates issued give users an approach to confirm
the identity of the publisher and the integrity of the code. The Malware
however is difficult to spot since it has been digitally signed with a valid
code-signing certificate as it also happens that a majority of the anti-malware
tools and browsers remain under the impression that the payload can be trusted
because it is from a trusted publisher.

A recent incident that sparked wide spread interest was
reported last October, by a security vendor Venafi that followed a six-month
investigation conducted to show a thriving market for code signing certificates
on the Dark Web.

The research,
conducted by the Cyber Security Research Institute, showed that such
certificates are more expensive than even the stolen US passports, credit
cards, and handguns. Venafi found that stolen code-signing certificates are
being utilized as a part of a wide range of malicious activity including
man-in-the-middle attacks, malware obfuscation, website spoofing, and data
exfiltration and can get up to $1,200 in underground markets.

Recorded Future researchers say that their investigation
shows that the cybercriminals are currently offering new code-signing
certificates and domain-name registration services with SSL certificates.

They first observed a Dark Web vendor selling such
certificates in 2015. From that point onward, they have seen no less than three
new actors selling code-signing certificates obtained from major CAs using
stolen corporate credentials. One of the vendors has even proceeded on to other
activities while the remaining two are as of now continuing to sell counterfeit
certificates primarily to Russian threat actors.

The cost associated with these certificates implies to the
fact that they are likely to be of most interest to hackers with specific
motives in mind, Barysevich says.

"Attackers who are engaged in targeted campaigns, such as
corporate espionage or bank infiltration, are the most likely buyers of
counterfeit code-signing certificates," he added further.

"That being said, there are many applications of compromised SSL
EV {Extended Validation Assurance} certificates, and they could be used in a
more widespread malware campaign."

The essential certificates without EV assurance are in any
case available for $600 from the vendors, or twice the amount of $295 that an
organization would normally pay for a code-signing certificate for legitimate
use.